GRUB2 Secure Boot Vulnerability: BootHole

https://www.phoronix.com/scan.php?page=news_item&px=BootHole-GRUB2-Secure-Boot

https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

2 Likes

boothole

lol

Now that we’ve got this out of the way


I’m genuinely shocked nobody noticed this flaw until now.

5 Likes

Red Hat has a good page on this https://access.redhat.com/security/vulnerabilities/grub2bootloader

2 Likes

Added to the original post.

Uh oh, the fix is bricking some systems: https://twitter.com/gamingonlinux/status/1288940154502238221

https://bugzilla.redhat.com/show_bug.cgi?id=1861977

3 Likes

Thanks for finding that :+1: (Red Hat looks to have made a fixed shim for this bug)

As I understand, there may be implications for non-Linux machines as well. Anyone know if they released any more detail? They only seemed to go down the GRUB route specifically.

1 Like

Worth having a look over the Microsoft advisory and the available mitigations.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011

1 Like

I suppose there will be an update to GRUB at some point, to fix the problem?

Yes. There’s a revocation file for the accepted certificates. Microsoft won’t deploy this until 2021. It can be manually installed though (but you must be careful to check it won’t block your own system on Linux). Linux distros have patches, but a number have had some issues with no-boot problems. That’s being fixed atm.

2 Likes

I hope Red Hat backports a few versions of Fedora with this. Cause this is kinda serious. (Still on Fedora 28)

Fedora 28 is EOL (over a year ago), it won’t be back-ported.

1 Like

Is there some legacy software that’s keeping you on F28?

The kernel stability and stable version of QEMU that I know how to work with is the big keeper, and old versions of Waterfox.

You should move to CentOS probably in that case. (after they release the grub patch :smiley: )

1 Like

Too many things are stable in my current OS state though. It’s rock solid to the point nothing breaks. No Nvidia trouble, no Blackmagic trouble, no trouble period.

Except that your system is riddled with vulnerabilities. Just keep that in mind. However, that’s another thread I suppose.

5 Likes

Regressions for QEMU are something I really don’t want to deal with unless it’s a platform switch from X79 to X299 for example. Still can’t find that damn motherboard.

You really should be on something like CentOS 8.

As F28 was the distro that EL8 is based off of, you should not have any trouble.

If you only want to get security fixes I can teach you how to exclude feature updates and just get security patches.

2 Likes

That’s quite a monumental task if it’s manual installation like Arch. I have a very logically laid out partition table and that’s a huge risk to mess it up.

It’s probably best to do a reinstallation, but it’s not manual like Arch. There is a nice point and click style GUI.

And if you have separated out your /home then your data should be fine.

By default, LVM sets the / to a max of 50 GiB and allocates the rest to /home but during the install you can even separate out partitions for /var and such.

1 Like